Ethereal-users: RE: [Ethereal-users] Ethereal and Site-to-Site VPNs

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Visser, Martin" <martin.visser@xxxxxx>
Date: Wed, 7 Apr 2004 07:17:30 +1000
Unless the Netscreens are using an alternate path (which I assume is not the case) or telepathy, then the traffic must be crossing the router in valid IP packets and Ethernet frames. So are you saying that without the VPN (maybe the Netscreen just acting as a firewall) you can see the point-to-point traffic with Ethereal? (If you haven't done this, do a ping or telnet between the Netscreens and verify that Ethereal sees the source MAC address of each device.)

Also the netscreen isn't trying to use >1518 byte ethernet frames is it? It could be that the hub and router are happy to forward these, but the NIC or driver on the ethereal PC is dropping them. Maybe you need to check the MTU.
I also assume you have no capture or display filters on.

Martin Visser, CISSP
Network and Security Consultant 
Technology & Infrastructure - Consulting & Integration
HP Services

3 Richardson Place 
North Ryde, Sydney NSW 2113, Australia 

Phone: +61-2-9022-1670    
Mobile: +61-411-254-513
Fax: +61-2-9022-1800     
E-mail: martin.visserAThp.com
  

> -----Original Message-----
> From: ethereal-users-bounces@xxxxxxxxxxxx 
> [mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of PM 
> Systems - Chris Kroll
> Sent: Wednesday, 7 April 2004 3:42 AM
> To: Ethereal user support
> Subject: RE: [Ethereal-users] Ethereal and Site-to-Site VPNs
> 
> Well, I'm still not seeing any VPN traffic from these devices 
> even after I moved over to a standard 10mb Hub.  I'm stumped. 
>  FWIW, I get the same negative results when using Analyzer.
> 
> -----Original Message-----
> From: ethereal-users-bounces@xxxxxxxxxxxx
> [mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of 
> Ronnie Sahlberg
> Sent: Tuesday, April 06, 2004 12:03 PM
> To: Ethereal user support
> Subject: Re: [Ethereal-users] Ethereal and Site-to-Site VPNs
> 
> Try using real hubs instead of 10/100 dual speed "hubs"
> 
> A dual speed 10/100 "hub" is not a hub at all, they are 
> either just a standard low-end unmanaged switch or they may 
> be two different hubs, one 10mbit and one 100mbit inside the 
> same enclosure and connected internally together with a 2 port switch.
> 
> If the latter, then you really have two different hubs and 
> will only see the data from the same collision domain as 
> where the ethereal box is connected.
> Make sure that the ethereal box connects to the hub at the 
> same speed as the netscreen box connects with or else you are 
> really connecting the ethereal box to a different hub and 
> hence you won't see anything.
> 
> If the former, then you really have a switch and you won't see 
> the traffic at all unless you set the switch up in 
> span/mirror mode, something that might not be possible on a 
> low end unmanaged switch.
> 
> 
> Why they call these devices hubs is beyond me since they are 
> not hubs at all.
> 
> 
> ----- Original Message -----
> From: "PM Systems - Chris Kroll" <CKROLL@xxxxxxxxxxxxx>
> To: "Ethereal user support" <ethereal-users@xxxxxxxxxxxx>
> Sent: Tuesday, April 06, 2004 10:05 PM
> Subject: RE: [Ethereal-users] Ethereal and Site-to-Site VPNs
> 
> 
> Sorry for not providing more information in my previous message.  I am
> using two Netscreens to create the Site-to-site VPN so it will not be
> possible for me to load Ethereal on those devices.  The current end to
> end physical config is as follows:  Netscreen - "dumb" 10/100 hub - dual
> port 10/100 router - "dumb" 10/100 hub - Netscreen.  The PC that has
> Ethereal loaded has been placed on both sides of the router and I have
> successfully captured other data (i.e. Telnet, PINGS) to validate that
> ethereal is functioning.  I have also validated that the VPN is up as I
> have transferred files between the protected networks.  It's just crazy
> that absolutely nothing shows up from these devices, including the
> initial handshake.  Again, any advice is greatly appreciated.
> 
> Thanks
> 
> -----Original Message-----
> From: ethereal-users-bounces@xxxxxxxxxxxx
> [mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of 
> Visser, Martin
> Sent: Tuesday, April 06, 2004 12:54 AM
> To: Ethereal user support
> Subject: RE: [Ethereal-users] Ethereal and Site-to-Site VPNs
> 
> At a guess your ethereal box is probably connected to the same switch
> that your VPN device is on. If that is the case, then everything is
> functioning as expected. An ethernet switch by nature does not allow
> point to point (unicast) packets to be seen on ports other than those
> directly involved in the communication. The ARPs you are seeing however
> are probably the ARP requests that are flooded to all ports (as are all
> broadcasts). (A switch is functionally identical to a data-link layer
> bridge if you are trying to find out more info how this works)
> 
> To see the VPN traffic you either need to tell the switch to forward
> traffic on the VPN ports to the monitoring port (called monitor or SPAN
> functionality on some switches). Or alternatively use a dumb
> hub/repeater which copies all seen traffic out of all ports.
> 
> If this is not the configuration then you might need to provide more
> info (for instance is ethereal actually running on the same box as the
> VPN)
> 
>  Regards, Martin
> 
> Martin Visser, CISSP
> Network and Security Consultant
> Technology & Infrastructure - Consulting & Integration
> HP Services
> 
> 3 Richardson Place
> North Ryde, Sydney NSW 2113, Australia
> 
> Phone: +61-2-9022-1670
> Mobile: +61-411-254-513
> Fax: +61-2-9022-1800
> E-mail: martin.visserAThp.com
> 
> 
> 
> 
> 
> ________________________________
> 
> From: ethereal-users-bounces@xxxxxxxxxxxx
> [mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of PM Systems -
> Chris Kroll
> Sent: Tuesday, 6 April 2004 6:31 AM
> To: ethereal-users@xxxxxxxxxxxx
> Subject: [Ethereal-users] Ethereal and Site-to-Site VPNs
> 
> 
> 
> I am writing a practical which includes the validation of
> encrypted data on the untrusted side of a site-to-site VPN.  I was
> hoping to use Ethereal to at least verify that the traffic is in fact
> encrypted, however no traffic shows up from either VPN device with the
> exception of a couple of ARPs.  I've verified that Ethereal is set up
> appropriately by generating other traffic on this network.  Is this just
> a shortcoming of Ethereal or am I not doing something correctly?  Also,
> I am not looking to decrypt the data, only validate that encrypted data
> is being sent.  Thanks in advance!
> 
> 
> 
> Chris Kroll
> 
> Security Analyst
> 
> PM Systems Corporation - CUDefense Team
> 
> 800-233-4052 x207
> 
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
>
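
The checks discussed in this thread (is each gateway's source MAC visible at the capture point, is its traffic ESP rather than cleartext, are any frames oversize) can be scripted over raw captured frames. The following is an added example, not code from the thread or from Ethereal; it assumes untagged Ethernet II, IPv4, IPsec ESP without NAT-T, and the MAC and IP addresses are constructed placeholders.

```python
import struct
from collections import Counter, defaultdict

MAX_CAPTURED = 1514  # 1518-byte frame minus the 4-byte FCS that captures omit

def classify(raw):
    """Return (source MAC, label) for one untagged Ethernet II frame."""
    src = raw[6:12].hex(":")
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype == 0x0806:
        return src, "arp"
    if ethertype != 0x0800 or len(raw) < 34:
        return src, "other"
    ihl, proto = (raw[14] & 0x0F) * 4, raw[23]
    if proto == 50:  # IPsec ESP
        return src, "esp"
    if proto == 17 and len(raw) >= 18 + ihl:
        if 500 in struct.unpack("!HH", raw[14 + ihl:18 + ihl]):  # IKE
            return src, "ike"
    return src, "cleartext-ip"

def audit(frames, gateways):
    """Map each gateway MAC to (verdict, label counts, oversize frame count)."""
    seen, oversize = defaultdict(Counter), Counter()
    for raw in frames:
        src, label = classify(raw)
        seen[src][label] += 1
        oversize[src] += len(raw) > MAX_CAPTURED
    report = {}
    for mac in gateways:
        c = seen[mac]
        if not (c["esp"] or c["ike"] or c["cleartext-ip"]):
            verdict = "not-visible"  # only broadcasts reach this capture point
        elif c["cleartext-ip"]:
            verdict = "cleartext-seen"  # unencrypted IP sourced by the gateway
        else:
            verdict = "esp-seen" if c["esp"] else "ike-only"
        report[mac] = (verdict, dict(c), oversize[mac])
    return report

def frame(src_mac, proto=None, payload=b""):
    """Build a constructed test frame; proto=None gives a broadcast ARP."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    if proto is None:
        return b"\xff" * 6 + src + b"\x08\x06" + bytes(28)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return bytes.fromhex("020000000099") + src + b"\x08\x00" + ip + payload

GW_A, GW_B = "02:00:00:00:00:01", "02:00:00:00:00:02"  # placeholder MACs
SAMPLE = [frame(GW_A), frame(GW_A, 50, bytes(64)),
          frame(GW_A, 17, struct.pack("!HHHH", 500, 500, 8, 0)),
          frame(GW_B), frame(GW_B)]  # constructed, not from the thread
```

A "not-visible" verdict for a gateway that is known to be passing traffic points at the capture position (switch or dual-speed hub) rather than at the VPN itself.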